Chrome 68 to condemn all unencrypted sites by summer

Google has put a July deadline on a 2016 promise that its Chrome browser would tag all websites that don't encrypt their traffic.

"Beginning in July 2018 with the release of Chrome 68, Chrome will mark all HTTP sites as 'not secure,'" wrote Emily Schechter, a Chrome security product manager, in a Feb. 8 post to a company blog.

Google has scheduled Chrome 68 to release in Stable form - analogous to production-level quality - during the week of July 22-28.

Starting then, Chrome will insert a "Not secure" label into the address bar of every website that uses HTTP connections between its servers and users. Sites that instead rely on HTTPS to encrypt the back-and-forth traffic will display their URLs normally in the address bar.

Google's campaign to call out HTTP websites as unsafe began in 2014, with the search giant ramping up the effort in September 2016, when it told users Chrome 56 would shame pages that didn't encrypt password or credit card form fields. Chrome 56 debuted in late January 2017, and immediately started to apply the "Not secure" label to pertinent pages.

The push for always-HTTPS - backed by Google and others, including Mozilla, maker of Firefox - has worked, Schechter argued. Eighty-one of the web's top 100 sites, she asserted, now used HTTPS by default, while 68% of Chrome traffic on Windows and Android (by pages) and 78% on both macOS and Chrome OS was encrypted. That was up significantly from September 2016, when Schechter said half of all Chrome desktop page loads were being served via HTTPS.

Eventually, Chrome's "Not secure" label will be accompanied by a red-for-danger icon.

IDG/Gregg Keizer

At some point, Chrome will not only tell users that an HTTP page is "Not secure," but will add a red-for-danger icon to emphasize the point.

Users can enable Chrome's new HTTP tagging now by typing chrome://flags in the address bar, then finding the item described as "Mark non-secure origins as non-secure." Selecting "Enable (mark with a Not Secure warning)" and relaunching Chrome replicates what Chrome 68 will display after Google sets that option as the default. Choosing "Enable (mark as actively dangerous)" displays the red icon as well.

What Google does - or doesn't - with Chrome has a huge impact on the web simply because of the browser's massive influence. In January, for instance, analytics vendor Net Applications pegged Chrome's user share at 61.4%, making it as dominant as Microsoft's Internet Explorer was in 2010, when Google's browser was just two years old.

That user share has enormous sway over all sites, a club and carrot that Google constantly wields. No site wants to give all those Chrome users the impression that it's unsafe, and to be avoided. As a result, many sites have fallen in line with Google's demand that the web go all-in on HTTPS.